Bug 486739

Summary: satellite install, selinux denials MonitoringScout
Product: Red Hat Satellite 5
Component: Installer
Version: 530
Status: CLOSED NOTABUG
Severity: medium
Priority: low
Hardware: All
OS: Linux
Reporter: wes hayutin <whayutin>
Assignee: Jan Pazdziora <jpazdziora>
QA Contact: wes hayutin <whayutin>
CC: bperkins
Doc Type: Bug Fix
Last Closed: 2009-03-16 14:01:08 UTC
Bug Blocks: 457079

Description wes hayutin 2009-02-21 16:27:32 UTC
Description of problem:
satellite install, selinux denials Monitoring Scout
Satellite-5.3.0-RHEL5-re20090220.1-i386-embedded-oracle.iso

clear audit log
install latest satellite iso
check audit log


type=AVC msg=audit(1235187498.928:388): avc:  denied  { read write } for  pid=9401 comm="MonitoringScout" path="socket:[7018]" dev=sockfs ino=7018 scontext=root:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=AVC msg=audit(1235187498.928:388): avc:  denied  { read write } for  pid=9401 comm="MonitoringScout" path="socket:[7018]" dev=sockfs ino=7018 scontext=root:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=AVC msg=audit(1235187498.928:388): avc:  denied  { read write } for  pid=9401 comm="MonitoringScout" path="socket:[7020]" dev=sockfs ino=7020 scontext=root:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

Comment 1 Jan Pazdziora 2009-02-24 11:14:34 UTC
What did you do after that installation? After the installer said

* Deploying configuration files.
* Update configuration in database.
* Setting up Cobbler..
* Restarting services.
Installation complete.
Visit https://your-satellite.redhat.com to create the RHN Satellite
administrator account.

what other steps did you make? Did you go to the WebUI and activate monitoring? Or is this without even activating monitoring?

Comment 2 Jan Pazdziora 2009-02-24 11:30:36 UTC
Generally, these look like leaked descriptors from whatever automation tool you are using.

Please provide info about how exactly you run those installations.

Comment 3 wes hayutin 2009-02-24 13:51:11 UTC
Then sat install ran, then I get the audit log...
nothing.. else was done

Comment 4 Jan Pazdziora 2009-02-25 08:04:56 UTC
Wes confirmed that the installation was run under screen and that re-running the installation without screen does not generate the AVC denials. So currently it looks like a leaked file descriptor in screen.

Comment 5 wes hayutin 2009-02-25 18:59:08 UTC
running w/ the correct version of screen did NOT produce this error..
I think we can close this.

Comment 6 wes hayutin 2009-02-25 20:48:56 UTC
recreated this error on a x86_64 install w/o screen
type=AVC msg=audit(1235593563.492:118): avc:  denied  { sigchld } for  pid=9971 comm="MonitoringScout" scontext=root:system_r:spacewalk_monitoring_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=process


[root@test02-64 ~]# ps -ef | grep 9971
root     26849 20185  0 15:48 pts/1    00:00:00 grep 9971

Comment 7 Jan Pazdziora 2009-02-26 08:50:34 UTC
Wes, the original report was not about sigchld, it was about read/write on unix_stream_socket. It's not the same issue. We will need new, full bugzilla, describing exactly what you did when you got this sigchld denial -- was it during installation, when services were first restarted, when you activated monitoring, etc.

Comment 8 Jan Pazdziora 2009-03-16 13:59:37 UTC
The same problem as bug 486742: screen possibly leaking descriptors was leading to AVC denials. Closing as NOTABUG as it's not strictly speaking a duplicate -- the cause was the same but the symptoms showed in different programs.
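
An added triage sketch, not part of the original bug report or of any Red Hat tooling: it parses AVC records like the ones quoted in this report and separates the pattern the comments attribute to leaked descriptors (read/write on an anonymous socket labelled with another domain's type) from unrelated denials such as the sigchld one. The classification rule and the names `FD_CLASSES`, `IO_PERMS`, `parse_avc`, `classify` and `triage` are assumptions of this example.

```python
import re
from collections import Counter

# Sample records copied from the denials quoted in this report (wrapped lines rejoined).
SAMPLE = """\
type=AVC msg=audit(1235187498.928:388): avc:  denied  { read write } for  pid=9401 comm="MonitoringScout" path="socket:[7018]" dev=sockfs ino=7018 scontext=root:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=AVC msg=audit(1235187498.928:388): avc:  denied  { read write } for  pid=9401 comm="MonitoringScout" path="socket:[7020]" dev=sockfs ino=7020 scontext=root:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=AVC msg=audit(1235593563.492:118): avc:  denied  { sigchld } for  pid=9971 comm="MonitoringScout" scontext=root:system_r:spacewalk_monitoring_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=process
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption: object classes that represent an open descriptor a child can inherit.
FD_CLASSES = {"unix_stream_socket", "unix_dgram_socket", "tcp_socket",
              "udp_socket", "fifo_file", "chr_file", "file"}
IO_PERMS = {"read", "write", "append", "getattr", "ioctl"}

def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["perms"] = set(m.group("perms").split())
    # An SELinux context is user:role:type[:level]; the type is the third field.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def classify(rec):
    """Heuristic: plain I/O on an anonymous socket or pipe that carries another
    domain's type suggests a descriptor inherited from the launching process."""
    anonymous = rec.get("path", "").startswith(("socket:[", "pipe:["))
    if (rec["tclass"] in FD_CLASSES and rec["perms"] <= IO_PERMS
            and anonymous and rec["stype"] != rec["ttype"]):
        return "inherited-descriptor"
    return "other"

def triage(text):
    """Count denials per (verdict, comm, source type, target type, class)."""
    counts = Counter()
    for rec in filter(None, map(parse_avc, text.splitlines())):
        counts[(classify(rec), rec["comm"], rec["stype"], rec["ttype"], rec["tclass"])] += 1
    return counts

if __name__ == "__main__":
    for key, n in triage(SAMPLE).items():
        print(n, *key)
```

An "inherited-descriptor" verdict is a prompt to check how the process was launched (here, under screen), not proof of a leak.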